Capturing packets on a Windows machine and viewing in Wireshark

Hello, my name is Yamapan. In this tutorial, I will show you how to capture packets on a Windows machine and view them in Wireshark.

Capturing packets on a Windows machine

0. In an administrator command prompt, execute the following commands to clear the DNS, NetBIOS name, and certutil URL caches so the capture starts from a clean state:

ipconfig /flushdns
nbtstat -R
certutil -urlcache * delete

1. Use the netsh command in an administrator command prompt to start capturing packets:

netsh trace start capture=yes

2. Use the netsh command in an administrator command prompt to stop capturing packets:

netsh trace stop

  The packet capture file will be located at C:\Users\<username>\AppData\Local\Temp\NetTraces\NetTrace.etl.

Converting for viewing in Wireshark
  1. Install etl2pcapng
    Download and extract the zip file from the etl2pcapng site (https://github.com/microsoft/etl2pcapng/releases).

  2. Execute the following command to convert the file:

    etl2pcapng.exe <packet capture file> <output file>

  3. Verify that the converted file can be opened in Wireshark.
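The whole procedure above as one PowerShell script, added here as an example and not part of the original tutorial. It assumes etl2pcapng.exe was extracted to C:\Tools\etl2pcapng\ (adjust the parameter) and checks step 3 by reading the first four bytes of the output, which for a pcapng file are the Section Header Block type 0x0A0D0D0A.

```powershell
#Requires -RunAsAdministrator
# Added example: capture with netsh trace, convert with etl2pcapng, verify the result.
param(
    [string]$Etl2PcapNg = "C:\Tools\etl2pcapng\etl2pcapng.exe",                # assumed extraction path
    [string]$TraceFile  = "$env:LOCALAPPDATA\Temp\NetTraces\NetTrace.etl",    # netsh trace default output
    [string]$OutFile    = "$env:USERPROFILE\Desktop\capture.pcapng",          # assumed destination
    [int]$Seconds       = 60                                                  # how long to capture
)
$ErrorActionPreference = "Stop"

# Step 0: clear DNS, NetBIOS name, and certutil URL caches
ipconfig /flushdns | Out-Null
nbtstat -R | Out-Null
certutil -urlcache * delete | Out-Null

# Step 1: start the capture; netsh writes NetTrace.etl under %LOCALAPPDATA%\Temp\NetTraces
netsh trace start capture=yes
Start-Sleep -Seconds $Seconds    # reproduce the behaviour you want recorded during this window

# Step 2: stop the capture; netsh may take a moment to finish writing the .etl
netsh trace stop
if (-not (Test-Path $TraceFile)) { throw "Trace file not found: $TraceFile" }

# Convert: etl2pcapng.exe <packet capture file> <output file>
& $Etl2PcapNg $TraceFile $OutFile
if ($LASTEXITCODE -ne 0) { throw "etl2pcapng failed with exit code $LASTEXITCODE" }

# Step 3 check: a pcapng file begins with a Section Header Block, type bytes 0A 0D 0D 0A
$header = New-Object byte[] 4
$stream = [System.IO.File]::OpenRead($OutFile)
try { [void]$stream.Read($header, 0, 4) } finally { $stream.Dispose() }
$expected = [byte[]](0x0A, 0x0D, 0x0D, 0x0A)
if (Compare-Object $header $expected -SyncWindow 0) {
    throw "$OutFile does not start with a pcapng Section Header Block; Wireshark will not open it"
}
Write-Host "pcapng header OK: $OutFile ($((Get-Item $OutFile).Length) bytes)"
```

Run it from an elevated PowerShell window; if the header check passes, open the .pcapng in Wireshark as in step 3.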